---
title: How do I practise this step?
course: intro_pentest
section: "Web-Based Exploitation"
layout: lesson
---

As mentioned at the beginning of this chapter, it is important that you learn to
master the basics of web exploitation. However, finding vulnerable websites on
which you are authorized to conduct these attacks can be difficult. Fortunately,
the fine folks at the Open Web Application Security Project (OWASP) have
developed a vulnerable platform for learning and practising web-based attacks.
This project, called WebGoat, is an intentionally misconfigured and vulnerable
web application, shipped with its own web server, that you run in your lab.

WebGoat was built using J2EE, which means it is capable of running on any system
that has the Java Runtime Environment installed. WebGoat includes more than 30
individual lessons that provide a realistic, scenario-driven learning
environment. Current lessons cover all the attacks we described in this chapter
and many more. Most lessons require you to perform a specific attack, such as
using SQL injection to bypass authentication. Each lesson comes complete with
hints that will help you solve the puzzle. As with other scenario-driven
exercises, it is important to work hard and attempt to find the answer on your
own before using the help files.

If you are making use of virtual machines in your hacking lab, you will need to
download and install WebGoat inside a virtual machine. As discussed previously,
WebGoat will run on either Linux or Windows; just be sure to install Java (JRE)
on your system prior to starting WebGoat.

WebGoat can be downloaded from [the official OWASP website](http://owasp.org/).
The file you need to download is a .7z archive, so you will need 7-Zip or
another program capable of extracting that format. Unzip the file and remember
the location of the uncompressed WebGoat folder. If you are running WebGoat on
Windows, navigate to the unzipped WebGoat folder and locate the
“webgoat_8080.bat” file. Execute this batch file by double-clicking it. A
terminal window will appear; you will need to leave this window open and running
in order for WebGoat to function properly. At this point, assuming that you are
accessing WebGoat from the same machine you are running the WebGoat server on,
you can begin using WebGoat by opening a browser and entering the URL
http://localhost:8080/WebGoat/attack. The path after the port is a Java servlet
context path and is case-sensitive, so if the page does not load, check the
capitalisation against the one given in the readme that ships with your copy.

If everything went properly, you’ll be presented with a log-in prompt. Both the
username and password are set to: guest.

As a final note, please pay attention to the warnings posted in the “readme”
file. Specifically, you should understand that running WebGoat outside a lab
environment is extremely dangerous: every lesson is a real, working
vulnerability, so anyone who can reach the WebGoat port can exploit it and
use it as a foothold on your machine. Always use caution and only run WebGoat in
a properly sandboxed environment, such as a virtual machine on a host-only
network, and never expose its port to an untrusted network.
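The start-up steps above and the readme's sandboxing warning can be turned into a small launcher that checks the prerequisite, waits for the server to answer, and then confirms that the vulnerable port is only reachable from the local machine. The script below is an added example for this lesson and is not part of WebGoat or the original text. It assumes a Linux host (or Linux lab VM) with `java`, `curl`, `ss` and `awk` installed, a WebGoat 5.x archive unpacked into `$WEBGOAT_DIR`, and that the distribution's `webgoat.sh start8080` launcher serves the application on port 8080 at the URL shown; the directory, port and URL variables are assumptions you can override from the environment.

```shell
#!/bin/sh
# Added example for this lesson; not part of WebGoat or the original text.
# Assumptions (not stated on the page): Linux host with java, curl, ss and awk;
# WebGoat 5.x unpacked into $WEBGOAT_DIR with a webgoat.sh launcher that
# accepts "start8080" and serves the URL below. Override the variables as needed.

WEBGOAT_DIR="${WEBGOAT_DIR:-$HOME/WebGoat}"
WEBGOAT_PORT="${WEBGOAT_PORT:-8080}"
WEBGOAT_URL="${WEBGOAT_URL:-http://localhost:${WEBGOAT_PORT}/WebGoat/attack}"

# Given the text of `ss -ltn` ($1) and a port ($2), succeed only if every TCP
# listener on that port is bound to a loopback address. A listener on 0.0.0.0,
# * or [::] means the deliberately vulnerable application is reachable from the
# network, which is exactly what the WebGoat readme warns against. This is a
# pure function over text so it can be checked against captured output.
listeners_loopback_only() {
    ss_output="$1"
    port="$2"
    exposed=$(printf '%s\n' "$ss_output" | awk -v p="$port" '
        {
            addr = $4                               # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != p) next                 # listener on some other port
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host != "127.0.0.1" && host != "[::1]") print addr
        }')
    [ -z "$exposed" ]
}

# The prerequisite the lesson calls out: a Java runtime on the PATH.
have_java() {
    java -version >/dev/null 2>&1
}

# Start WebGoat in the background and poll the login URL until it answers.
# WebGoat 5.x protects the URL with HTTP Basic authentication, so an
# unauthenticated 401 also means the server is up.
start_webgoat() {
    have_java || { echo "java not found on PATH; install a JRE first" >&2; return 1; }
    (cd "$WEBGOAT_DIR" && sh ./webgoat.sh start8080 >webgoat.log 2>&1 &)
    i=0
    while [ "$i" -lt 30 ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$WEBGOAT_URL" || true)
        case "$code" in
            200|401) echo "WebGoat is up at $WEBGOAT_URL (login: guest / guest)"; return 0 ;;
        esac
        i=$((i + 1))
        sleep 2
    done
    echo "WebGoat did not respond within 60 s; see $WEBGOAT_DIR/webgoat.log" >&2
    return 1
}

# Confirm the running server is not reachable from the network.
check_exposure() {
    if listeners_loopback_only "$(ss -ltn)" "$WEBGOAT_PORT"; then
        echo "port $WEBGOAT_PORT is bound to loopback only"
    else
        echo "WARNING: port $WEBGOAT_PORT is reachable from the network;" \
             "use a host-only VM network or a host firewall" >&2
        return 1
    fi
}

case "${1:-}" in
    start) start_webgoat && check_exposure ;;
    check) check_exposure ;;
    *) : ;;   # no argument: only define the functions (so the file can be sourced)
esac
```

Run it as `sh webgoat_lab.sh start` after unpacking the archive, or `sh webgoat_lab.sh check` against an already running instance. If the exposure check fails, the launcher has bound the port on all interfaces; keep the VM on a host-only network or block the port with the host firewall before working through the lessons.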
